Managing allowed URLs

Tanium as a Service deployments include a customer-specific proxy server that allows the URL destinations that are required for Tanium modules to work. Contact Tanium Support to request additional allowed destinations.

The URL expressions that you configure on the Administration > Permissions > Allowed URLs page control how the Tanium Server handles file downloads that the Tanium Client requests from Internet URLs. When the Tanium Client executes content (such as action packages or sensors), the script associated with that content might request a file from an Internet URL. The Tanium Client API uniquely identifies the download by URL, including file name. For security, the Tanium Client sends a message to the Tanium Server, which checks the requested URL against its lists of package file URLs and allowed URLs. The package file URLs are known URLs that the package author specified. You use the allowed URLs to account for dynamic URLs, such as URLs that a Tanium Client script computed. If the URL does not match either list, the request fails.

The first time the Tanium Server handles a Tanium Client file download request that passes the allowed URLs check, the server downloads the file and stores a temporary package file and metadata so that it can distribute the file to endpoints (see Tanium Client Management User Guide: File distribution). The allowed URLs configuration includes settings that affect how often the Tanium Server checks for changes to the requested URL files and how often the server clears temporary files.

Allowed URLs read permission is required to view allowed URLs configurations. Allowed URLs write permission is required to create, modify, or delete allowed URLs configurations. The Administrator reserved role has these permissions.

View allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.

    The page displays the settings that are described in Table 1.


  2. (Optional) To display the identifier for each allowed URL, click Customize Columns and select ID.
  3. (Optional) Enter a text string in the Filter items field to filter the grid by URL Expression.

Add allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Click New URL Expression.
  3. Configure the following settings and click Save.
    Table 1: Allowed URL settings

    Setting: URL/regular expression
    Description: Specify a URL.

    To allow multiple files from a base URL, select Treat the above text as a regular expression and specify the regular expression (regex). For example, the following regex allows any download from www.microsoft.com:

    http\:\/\/www\.microsoft\.com\/.*

    Note that the value is case sensitive. For example, the regex https\:\/\/192\.0\.2\.1\/abc\.csv allows https://192.0.2.1/abc.csv but not https://192.0.2.1/ABC.csv. The regex to allow both files is https\:\/\/192\.0\.2\.1\/(abc|ABC)\.csv. The parentheses limit the alternation to the file name; without them, | splits the entire expression into two alternatives.

    When a Tanium Client initiates a download that passes this check, the Tanium Server downloads the file so that it can distribute it to Tanium Clients through the linear chain.

    Setting: Download Interval
    Description: (Optional) Select Check for changes after and specify an interval at which the Tanium Server checks the URL for changes to the requested file. The default is every six hours. If the check indicates there are changes to the file, the Tanium Server updates its copy of the file and restarts the expiration clock. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

    Setting: Expiration
    Description: (Optional) Select Clean up downloaded files after and specify the interval for clearing stale packages. The default is seven days. This means that the Tanium Server deletes files that it has not downloaded and that Tanium Clients have not requested in the past seven days. If a Tanium Client subsequently requests the URL, the Tanium Server downloads it again and resumes the update checks. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.
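The grouping and case-sensitivity point above, as an added example (not Tanium code): a Python check that runs candidate expressions against constructed URLs that should and should not pass the allow list. Python's re module stands in for the Tanium Server's regex engine, and because this page does not say whether the server matches the whole URL or any part of it, the check runs both ways; the ^ and $ anchors in the last expression are an assumption to verify in a lab.

```python
import re

# Constructed test URLs (documentation addresses from RFC 5737).
SHOULD_ALLOW = [
    "https://192.0.2.1/abc.csv",
    "https://192.0.2.1/ABC.csv",
]
SHOULD_DENY = [
    "https://192.0.2.1/Abc.csv",       # mixed case is not listed
    "https://192.0.2.1/abcdef.exe",    # shares only a prefix
    "https://198.51.100.7/x/ABC.csv",  # same file name, other host
    "https://192.0.2.1/abc.csv.exe",   # allowed URL plus a suffix
    "https://198.51.100.7/?next=https://192.0.2.1/abc.csv",  # allowed URL embedded
]

# Alternation without parentheses splits the whole expression in two.
UNGROUPED = r"https\:\/\/192\.0\.2\.1\/abc|ABC\.csv"
# Alternation limited to the file name.
GROUPED = r"https\:\/\/192\.0\.2\.1\/(abc|ABC)\.csv"
# Same, with start and end pinned (assumes the engine honours ^ and $).
ANCHORED = r"^https\:\/\/192\.0\.2\.1\/(abc|ABC)\.csv$"


def audit(expression, whole_url):
    """Return (wrongly_denied, wrongly_allowed) for one allow-list regex.

    whole_url=True requires the expression to match the entire URL;
    whole_url=False accepts a match anywhere inside the URL.
    """
    rx = re.compile(expression)
    matches = rx.fullmatch if whole_url else rx.search
    wrongly_denied = [u for u in SHOULD_ALLOW if not matches(u)]
    wrongly_allowed = [u for u in SHOULD_DENY if matches(u)]
    return wrongly_denied, wrongly_allowed


if __name__ == "__main__":
    for name, expr in [("ungrouped", UNGROUPED), ("grouped", GROUPED),
                       ("anchored", ANCHORED)]:
        for whole_url in (False, True):
            denied, allowed = audit(expr, whole_url)
            mode = "whole URL" if whole_url else "substring"
            print(f"{name:9} {mode:9} wrongly denied={len(denied)} "
                  f"wrongly allowed={len(allowed)}")
```

Only the grouped and anchored expression gives the same result under both matching behaviours, which makes it the safest form to test in a lab before adding it in production.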

Edit allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Select an allowed URL configuration and click Edit.
  3. Update the settings that are described in Table 1 (Allowed URL settings) and click Save.

Delete allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Select an allowed URL configuration and click Delete.

Export or import allowed URLs

The following procedures describe how to export and import the configurations of specific allowed URLs or all allowed URLs.

Develop and test content in your lab environment before importing that content into your production environment.

Export allowed URLs

Export allowed URL configurations as a CSV file to view their settings in an application that supports that format. If your user account has a role with the Export Content permission, you can also export allowed URLs as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Select rows in the grid to export only specific allowed URL configurations. If you want to export all allowed URL configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-allowed_urls-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All allowed URL configurations in the grid or just the Selected allowed URL configurations.
  6. Select the file Format: JSON or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import allowed URLs

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy allowed URL details

Copy information from the Allowed URLs page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.